Universal access layer for accessing heterogeneous data stores

ABSTRACT

Methods and systems disclosed herein describe a universal access layer that allows a plurality of applications to obtain data and/or information from a plurality of heterogeneous data stores. The universal access layer may include one or more application data objects to validate requests, transform a format of the request, determine which data stores comprise the requested data and/or information, encrypt the request, combine responses into a single response, and retransform the response prior to sending it to the requesting application. By using the universal access layer, applications may improve the speed with which they access data and/or information from the plurality of heterogeneous data stores.

FIELD OF USE

Aspects of the disclosure relate generally to an abstraction layer and,more specifically, to an abstraction layer for accessing a plurality ofheterogeneous data stores.

BACKGROUND

Data and/or information may be stored in a plurality of different,heterogeneous data stores. This may be a function of different businessunits having different storage requirements and/or new data storagetechnologies being rolled out over time. Because of the different datastores, application developers may have to write and/or modify code toaccess the data and/or information stored in the heterogeneous datastores. This may lead to errors in retrieving the data and/orinformation, for instance, if the developers are not familiar with theformat of the stored data and/or where the data is stored. This maydegrade the performance of the applications, the underlying network,and/or the data stores themselves.

Aspects described herein may address these and other problems, andgenerally improve the efficiency and performance of operations beingperformed on a plurality of heterogeneous data stores.

SUMMARY

The following presents a simplified summary of various aspects describedherein. This summary is not an extensive overview, and is not intendedto identify key or critical elements or to delineate the scope of theclaims. The following summary merely presents some concepts in asimplified form as an introductory prelude to the more detaileddescription provided below. Corresponding apparatus, systems, andcomputer readable media are also within the scope of the disclosure.

Example methods and systems described herein disclose a universal accesslayer that may provide an abstraction layer between applications and oneor more data stores. The universal access layer may allow an applicationto communicate with one or more data stores while the application mayemploy a different data format than at least one data store. In thisregard, the universal access layer may transform the request to asuitable format for the data store and reformat the response for theapplication. Additionally, the universal access layer may parse requestsfor data and/or information to determine which of the one or more datastores contain the requested information. The universal access layer maythen transmit separate requests for the data and/or information to eachof the data stores. In response to receiving requests from each of thedata stores, the universal access layer may aggregate the responses intoa single response before sending the requested data and/or informationto the requester. The universal access layer described herein mayimprove the speed with which applications access data and/or informationfrom a plurality of heterogeneous data stores.

These features, along with many others, are discussed in greater detailbelow.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is described by way of example and not limited inthe accompanying figures in which like reference numerals indicatesimilar elements and in which:

FIG. 1 shows an example of a system in which one or more aspectsdescribed herein may be implemented;

FIG. 2 shows an example of a computing device in accordance with one ormore aspects described herein;

FIG. 3 shows an example of an authentication process for gaining accessto a resource according to one or more aspects of the disclosure;

FIG. 4 shows an example of the universal access layer handling requestsfor data and/or information from an application according to one or moreaspects of the disclosure;

FIG. 5 shows an example of a process for handling a request for dataand/or information according to one or more aspects of the disclosure;and

FIG. 6 shows an example of a process for handling a response to arequest for data and/or information according to one or more aspects ofthe disclosure.

DETAILED DESCRIPTION

In the following description of the various embodiments, reference ismade to the accompanying drawings, which form a part hereof, and inwhich is shown by way of illustration various embodiments in whichaspects of the disclosure may be practiced. It is to be understood thatother embodiments may be utilized and structural and functionalmodifications may be made without departing from the scope of thepresent disclosure. Aspects of the disclosure are capable of otherembodiments and of being practiced or being carried out in various ways.In addition, it is to be understood that the phraseology and terminologyused herein are for the purpose of description and should not beregarded as limiting. Rather, the phrases and terms used herein are tobe given their broadest interpretation and meaning.

By way of introduction, aspects discussed herein may relate to methodsand techniques for a universal access layer that allows a plurality ofapplications to obtain data and/or information from a plurality ofheterogeneous data stores without any additional code. The universalaccess layer may include one or more application data objects. Theapplication data objects may be used to perform a variety of functions.In particular, the universal access layer may determine which datastores comprise the requested data and/or information and divide therequest into a plurality of requests, each for a different data store.The universal access layer may receive a plurality of responses fromeach of the different stores and combine the plurality of responses intoa single response that is provided to the application. As will becomeapparent from the discussion below, the universal access layer mayimprove the speed with which applications obtain data and/or informationfrom heterogeneous data stores and improve the integrity of the dataand/or information retrieved from those data stores.

Turning to FIG. 1, a system 100 in which a universal access layer may bedeployed is shown. System 100 may include a first computing device 110and a second computing device 120 interconnected to a server 140 vianetwork 130. Additionally, server 140 may be connected to a data store160.

First computing device 110 may be any suitable computing deviceconfigured to perform the particular functions described herein. Forexample, first computing device 110 may be a mobile device, such as acellular phone, a mobile phone, a smart phone, a tablet, or a laptop,and/or a personal computer, such as a terminal computing device, adesktop computing device, etc. First computing device 110 may provide afirst user with access to a variety of applications and services. Forexample, first computing device 110 may provide the first user withaccess to the Internet. Additionally, first computing device 110 mayprovide the first user with one or more applications located thereon,including, for example, application 112. The one or more applicationsmay provide the first user with a plurality of tools and access to avariety of services. For instance, application 112 may be a web browserthat provides the first user with access to the Internet. The webbrowser may allow the first user to access one or more webpages, such asan insurance web page that may provide, for example, one or more ratequotes, insurance policies, etc. In this regard, the insurance web pageserved to the first user via application 112 may allow the first user torequest data and/or information from an insurance provider. The requestmay be transmitted to server 140 via network 130. As will be discussedin greater detail below, server 140 may process the request and providethe first user with a response. The response may include, for example,one or more rate quotes, insurance policies, information about the user,etc. Server 140 may return the response to application 112, which mayprovide the response to the first user.

Second computing device 120 may be similar to the first computing device110 discussed above. In this regard, the second computing device 120 mayinclude any suitable computing device configured to allow a user toexecute software for a variety of purposes as described herein. Secondcomputing device 120 may belong to the first user that accesses firstcomputing device 110, or, alternatively, second computing device 120 maybelong to a second user, different from the first user. The software ofsecond computing device 120 may include one or more web browsers thatprovide access to websites on the Internet. Additionally, oralternatively, second computing device 120 may include an application122. In some embodiments, application 122 may be an application used bya professional in the performance of their duties. For example,application 122 may be an insurance program configured to allow aninsurance agent to request data and/or information (e.g., quotes,insurance policies, etc.) on behalf of clients. In this regard, an agentmay request the data and/or information through application 122. Therequest for data and/or information may be transmitted (e.g., sent) toserver 140 for processing. Based on the request, server 140 may provide(e.g., respond) a response. In some instances, application 122 mayprovide the data and/or information to the agent, who may, in turn,provide the response to the client.

While application 112 and application 122 have been described as forwardfacing (e.g., external) applications, it will be appreciated thatapplication 112 and application 122 may be internal applicationsconfigured to allow employees to obtain data and/or information in theperformance of an employee's job functions. In this regard, application112 may request data and/or information, such as user information,policy information, quote information, etc. As will be discussed ingreater detail below, application 112 and/or application 122 may requestinformation from one or more data stores (e.g., databases, file systems,archives, etc.) via a universal access layer, as will be discussedherein below. The universal access layer may format (e.g., transform)the request, transmit the request to one or more data stores, receiveone or more responses from the one or more data stores, combine the oneor more responses into a single response, and reformat the responsebefore sending it to the requesting application.

Server 140 may be configured to execute one or more applications,processing engines, and/or microservices (e.g., mini-applications,sub-routines, libraries, etc.). Server 140 may be a stand-alone server,a corporate server, or a server located in a server farm orcloud-computing environment. According to some examples, server 140 maybe a virtual server hosted on hardware capable of supporting a pluralityof virtual servers. The one or more applications, processing engines,and/or microservices may perform a variety of processing on behalf ofone or more applications. In one non-limiting example, server 140 may bea backend server for an insurance company. The backend server may beexecuting one or more backend applications (e.g., App 1 142, App 2 144,App n 146, etc.) configured to execute in tandem with one or morefront-end applications (e.g., application 112, application 122). Forexample, one or more backend applications (e.g., App 1 142, App 2 144,App n 146, etc.) may be configured to calculate one or more insurancerates, generate one or more insurance products, and, otherwise, performa plurality of insurance related tasks. In performance of these tasks,the one or more backend applications (e.g., App 1 142, App 2 144, App n146, etc.) may be configured to access data store 160. Each of theapplications (e.g., App 1 142, App 2 144, App n 146, etc.) may include auniversal access layer (e.g., UAL 1 152, UAL 2 154, UAL 3 156). Theuniversal access layer may provide an abstraction layer that allowsapplications to communicate with one or more data stores (e.g., datastore 160). As will be discussed in greater detail below, the universalaccess layer may include one or more application data objects configuredto validate the request for data and/or information, transform a formatof the request (if necessary or desired), determine which data storescomprise the requested data and/or information, encrypt the request (ifnecessary or desired), combine the responses into a single response, andretransform the response prior to sending it to the requestingapplication. By using the universal access layer, applications mayimprove the speed with which they access data and/or information from aplurality of heterogeneous data stores.

Data store 160 may comprise a plurality of heterogeneous data stores.For example, data store 160 may include a first database 162, a seconddatabase 164, a file system 166, and/or an archive 168. First database162 and/or second database 164 may include, but are not limited torelational databases, hierarchical databases, distributed databases,in-memory databases, flat file databases, XML databases, NoSQLdatabases, graph databases, and/or a combination thereof. First database162 and second database 164 may be the same type of database.Alternatively, first database 162 and second database 164 may bedifferent types of databases. First database 162 and/or second database164 may be configured to store data and/or information, including userinformation, such as personally identifiable information (PII) (e.g.,the user's name, social security number, driver's license number,passport number, bank account information, address information, emailaddress(es), phone number, etc.). First database 162 and/or seconddatabase 164 may also be configured to store additional data and/orinformation, including insurance information (e.g., a claims database,an underwriting database, insurance customer database, local informationdatabase, rate worksheets, etc.). File system 166 may define how data isstored and/or retrieved in data store 160. File system 166 may comprisea plurality of data and/or information, including, for example, variousfiles used by the various applications. In this regard, the files mayinclude policy templates, existing policies, etc. Archive 168 may be adistributed file system (e.g., Hadoop) configured to store data and/orinformation, as well as execute a plurality of applications. Archive 168may be configured to record transactions (e.g., database reads, databasewrites) made to the data store 160 via network 130.

Network 130 may include any type of network. In this regard, network 130may include the Internet, a local area network (LAN), a wide areanetwork (WAN), a wireless telecommunications network, a corporatenetwork, a distributed corporate network, and/or any other communicationnetwork or combination thereof. It will be appreciated that the networkconnections shown are illustrative and any means of establishing acommunications link between the computers may be used. The existence ofany of various network protocols such as TCP/IP, Ethernet, FTP, HTTP andthe like, and of various wireless communication technologies such asGSM, CDMA, Wi-Fi, WiMAX and LTE, is presumed, and the various computingdevices described herein may be configured to communicate using any ofthese network protocols or technologies. The data transferred to andfrom various computing devices in system 100 may include secure andsensitive data, such as confidential documents, customers' personallyidentifiable information (PII), and account data. Therefore, it may bedesirable to protect transmissions of such data using secure networkprotocols and encryption, and/or to protect the integrity of the datawhen stored on the various computing devices. For example, a file-basedintegration scheme or a service-based integration scheme may be utilizedfor transmitting data between the various computing devices. Data may betransmitted using various network communication protocols. Secure datatransmission protocols and/or encryption may be used in file transfersto protect the integrity of the data, for example, File TransferProtocol (FTP), Secure File Transfer Protocol (SFTP), and/or Pretty GoodPrivacy (PGP) encryption. In many embodiments, one or more web servicesmay be implemented within the various computing devices. Web servicesmay be accessed by authorized external devices and users to supportinput, extraction, and manipulation of data between the variouscomputing devices in the system 100. Web services built to support apersonalized display system may be cross-domain and/or cross-platform,and may be built for enterprise use. Data may be transmitted using theSecure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol toprovide secure connections between the computing devices. Web servicesmay be implemented using the WS-Security standard, providing for secureSOAP messages using XML, encryption. Specialized hardware may be used toprovide secure web services. For example, secure network appliances mayinclude built-in features such as hardware-accelerated SSL and HTTPS,WS-Security, and/or firewalls. Such specialized hardware may beinstalled and configured in system 100 in front of one or more computingdevices such that any external devices may communicate directly with thespecialized hardware.

Any of the devices and systems described herein may be implemented, inwhole or in part, using one or more computing systems described withrespect to FIG. 2. FIG. 2 shows an example of a computing device 200.Computing device 200 may be similar to first computing device 110 and/orsecond computing device 120, discussed above. Additionally oralternatively, computing device 200 may be similar to server 140.

Computing device 200 may include one or more processors 203. Processor203 may include a single central processing unit (CPU), which may be asingle-core or multi-core processor. Alternatively, processor 203 mayinclude multiple CPUs or a plurality of multi-core processors.Processor(s) 203 and associated components may allow the computingdevice 200 to execute a series of computer-readable instructions toperform some or all of the methods, processes, and/or algorithmsdescribed herein. Processor(s) 203 may be capable of controllingoperations of computing device 200 and its associated components,including RAM 205, ROM 207, an input/output (I/O) module 209, a networkinterface 211, and memory 213. For example, processor(s) 203 may beconfigured to read/write computer-executable instructions and othervalues from/to the RAM 205, ROM 207, and memory 213.

The I/O module 209 may be configured to be connected to an input device215, such as a microphone, keypad, keyboard, touchscreen, and/or stylusthrough which a user of the computing device 200 may provide input data.The I/O module 209 may also be configured to be connected to a displaydevice 217, such as a monitor, television, touchscreen, etc., and mayinclude a graphics card. The display device 217 and input device 215 areshown as separate elements from computing device 200; however, they maybe within the same structure.

The memory 213 may be any computer-readable medium for storingcomputer-executable instructions (e.g., software). The instructionsstored within memory 213 may enable computing device 200 to performvarious functions, including the methods, processes, and/or algorithmsdescribed herein. For example, memory 213 may store software used bycomputing device 200, such as an operating system 219 and applicationprograms 221, and may include an associated database 223.

Although not shown in FIG. 2, various elements within memory 213 orother components in computing device 200, may include one or morecaches, for example, CPU caches used by the processing unit 203, pagecaches used by the operating system 219, disk caches of a hard drive,and/or database caches used to cache content from database 223. Forembodiments including a CPU cache, the CPU cache may be used by one ormore processors in the processor 203 to reduce memory latency and/oraccess time. In such examples, the processor 203 may retrieve data fromand/or write data to the CPU cache rather than reading/writing to memory213, which may improve the speed of these operations. In some examples,a database cache may be created in which certain data from a centraldatabase such as, for example, first database 162 and/or second database164, is cached in a separate smaller database on an application serverseparate from the database server. For instance, in a multi-tieredapplication, a database cache on an application server can reduce dataretrieval and/or data manipulation time by not needing to communicateover a network with a backend database server. These types of caches andothers may be included in various embodiments, and may provide potentialadvantages in certain implementations of retrieving and analyzing fielddata and/or local data, such as faster response times and lessdependence on network conditions.

The network interface 211 may allow computing device 200 to connect to,and communicate with, a network, such as network 130. As noted above,network 130 may be any type of network, including a local area network(LAN) and/or a wide area network (WAN), such as the Internet, a cellularnetwork, or satellite network. Through the network 130, computing device200 may communicate with one or more other computing devices, such asserver 140 and/or data store 160, to exchange data and/or information.The network interface 211 may connect to the network (e.g., network 130)via communication lines, such as coaxial cable, fiber optic cable, etc.,or wirelessly using a cellular backhaul or a wireless standard, such asIEEE 802.11, IEEE 802.15, IEEE 802.16, etc. Further, the networkinterface 211 may use various protocols, including TCP/IP, Ethernet,File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), etc.,to communicate with other computing devices, servers 140, and the like.

Applications and/or users may request data and/or information from aserver, database, etc. In some instances, the application and/or usermay have to be authenticated prior to being granted access to therequested data and/or information. FIG. 3 shows an example of anauthentication process 300 for gaining access to a resource (e.g., data,information, an application, etc.).

As step 342, a first device 110 may transmit a request for an accesstoken to an authentication server 320. The request for the access tokenmay include authentication information, such as a username and password.While a username and password is shown in FIG. 3, it will be appreciatedthat any suitable authentication technique may be used when requestingthe access token from the authentications server 320. In step 344, thefirst user device 110 may discard the authentication information (e.g.,username and password). In step 346, the first device 110 may receive anaccess token from authentication server 320. The access token may be anapplication programming interface key (API key) configured toauthenticate the first device 110 (e.g., a user, developer, or programexecuting on first device 110) to a resource server, such as resourceserver 330. In step 348, the first user device 110 may store the accesstoken. The access token may be stored in a secure memory location. Whenthe first device 110 wants to access the resource, a request for theresource and the access token may be transmitted from the first userdevice 110 to resource server 330 in step 350. In step 352, the resourceserver 330 may authenticate the access token received in the request. Ifthe access token fails authentication (e.g., for being expired orfraudulent), the resource server 330 may deny the request to access theresource. In some instances, resource server 330 may send (e.g.,transmit) a notification to the first user device 110 indicating thatthe request is being denied. However, when the access token isauthenticated, the resource server 330 may provide the first user device110 with access to the resource in step 354. Providing the first userdevice 110 with access to the resource may include providing the firstuser device 110 with requested data and/or information. Additionally oralternatively, providing the first user device 110 with access to theresource may include allowing the first user device 110 to access one ormore applications located on resource server 330.

As noted above, requesting a resource may include a request for dataand/or information. In particular, the request may comprise a pluralityof pieces of information (e.g., name, address, insurance information,etc.) stored in a plurality of heterogeneous data stores. The universalaccess layer may provide applications with access to data stored inthese heterogeneous data stores. FIG. 4 illustrates an example of theuniversal access layer handling requests for data and/or informationfrom an application according to one or more aspects of the disclosure.

FIG. 4 shows an application 410, a universal access layer 414, and adata store 440. As noted above, application 410 may be a front-endapplication and/or a backend application configured to obtain dataand/or information from data store 440. In this regard, application 410may issue a read request as part of the retrieval process. Typicalsystems may scale up by implementing both read and write channels.However, this may prove impractical since most operations tend to beread operations. To address this, the universal access layer 414 mayimplement a Command Query Responsibility Segregation (CQRS)architecture. The CQRS architecture may separate reading and writinginto two different models. This may allow one operation (e.g., reading)to be scaled up without having to scale up writing operations. The CQRSarchitecture that allows one operation (e.g., reading) to scale upwithout having to scale up the other operation (e.g., writing) improvesoverall system performance by reducing the amount of resources used forunused network traffic.

Data store 440 may comprise a first database 442, a second database 444,a file system 446, and/or an archive 448 which may be similar to firstdatabase 162, second database 164, file system 166, and/or archive 168,respectively. In certain non-limiting embodiments, data store 440 mayalso include a cache (not shown). The cache may be any suitable cacheand/or message broker, such as Microsoft® Azure Redis Cache. In thisregard, cache may broker requests and/or responses between the datastore 440 and the universal access layer 414.

Universal access layer 414 may be configured to provide an applicationwith access to data and/or information stored in a plurality ofheterogeneous data stores, such as those located in data store 440. Byusing universal access layer 414, application 410 need not be concernedwith where the data and/or information is stored. Moreover, applicationdevelopers may focus on writing business logic for the applications theyare developing and do not need to worry about writing retrieval logic.This provides an improved ecosystem for application development, whileimproving the speed with which applications obtain data and/orinformation from heterogeneous data stores and the integrity of the dataand/or information retrieved from those data stores.

The universal access layer 414 may comprise a servlet 416. Servlet 416may be an application programming interface (API) that allows theuniversal access layer 414 to communicate and/or interact withapplication 410. In some instances, servlet 416 may be an open sourcecomponent, such as GraphQL. In particular, servlet 416 may receive arequest in a query format (e.g., query structure). The servlet 416 mayexpress the query format in an object schema, for example, by referringto schema 412. In this regard, schema 412 may define a canonical model.The canonical model may define a schema, or common data format, thatallows (e.g., permits) communication between applications that usedifferent data formats. Model methodologies may be considered eitherbottom-up or top-down. Bottom-up modelling methodologies may be theresult of re-engineering and, typically, start with existing datastructures. Bottom-up modelling may be physical andapplication-specific, and also incomplete from an enterprise-wideperspective. Top-down modelling, on the other hand, may be an abstracttechnique for gathering information from experts. In this regard, thesystem may not implement all the entities in a top-down logical model;however, the top-down logical model may serve as a reference pointand/or template for enabling data of varying formats to be exchangedseamlessly. Using the model defined in schema 412, the servlet 416 maybe able to express query structure as an object schema.

Servlet 416 may also comprise query resolver 417 and mutation resolver419. Query resolver 417 and/or mutation resolver 419 may compriseinstructions for transforming an operation into data. For example, queryresolver 417 may transform a request (e.g., query) into data that issuitable for the application data objects 420, described in greaterdetail below. Similarly, mutation resolver 419 may comprise instructionsfor transforming data into a different format more suitable for theapplication data objects 420. In some examples, query resolver 417and/or mutation resolver 419 may communicate with one or moreapplication data objects (ADOs) 420 to transform the received querystructure into an object schema.

ADOs 420 may comprise one or more objects (e.g., libraries, routines,sub-routines, etc.) configured to process the requests for data and/orinformation. As shown in FIG. 4, there are eight ADOs: validation ADO422, authorization ADO 424, business rules ADO 426, exception handlingADO 428, logging ADO 430, transaction management ADO 432, encryption ADO434, and time machine ADO 436. While eight ADOs are shown in FIG. 4, itwill be appreciated that more, or fewer, ADOs may be deployed.

Validation ADO 422 may be configured to validate the format of therequest for data and/or information. In this regard, application 410 mayformat data requests in a format different from the format used by thedata store 440. For example, application 410 may format data, andrequests for data, in a CSV format. However, the data store 440 mayhandle requests in JSON form. As noted, above, universal access layer414 may transform (e.g., translate) the request from the first format toa second format. Validation ADO 422 may verify that the request is inthe proper format. Additionally or alternatively, validation ADO 422 maydetermine whether the request for information complies with thecanonical model defined by schema 412. Validation ADO 422 may transformthe request for data and/or information based on a determination thatthe request does not comply with the canonical model 412.

Authorization ADO 424 may be configured to determine whether a userdevice (e.g., user, application, device, etc.) is authorized to accessthe requested data and/or information. In this regard, authorization ADO424 may verify (e.g., authenticate) a token received with the requestfor data and/or information. In some instances, authorization ADO 424may include a table of authenticated access tokens. Additionally oralternatively, authorization ADO 424 may send (e.g., transmit) theaccess token to a server, such as an authentication server.Authorization ADO 424 may receive a response from the server indicatingwhether the access token is valid or not. When the access token isvalid, authorization ADO 424 may allow the request to pass to one ormore of the data stores. However, when the access token is invalid,authorization ADO 424 may deny the request for data and/or information.In some instances, authorization ADO 424 may notify the application(e.g., application 410) that the request has been denied.

In response to a determination that the application is authorized toaccess the requested information, business rules ADO 426 may parse therequest for data and/or information to extract individual pieces ofinformation. For example, a request received from application 410 mayinclude requests for a plurality of pieces of information. For example,the request may request personally identifiable information (PII)associated with a name (e.g., First Name Last Name), as well as anyinsurance policies associated with the name. In this regard, the PII maybe stored in a first data store and the insurance policies may be storedin a second data store. The first data store and the second data soremay be different data stores. Business rules ADO 426 may parse therequest to determine what information is being requested. After parsingthe request, business rules ADO 426 may determine a first location of afirst piece of information and a second location of a second piece ofinformation. In some instances, business rules ADO 426 may use a look-uptable to determine the first location and/or the second location.Business rules ADO 426 may also combine pieces of data and/orinformation received from a plurality of heterogeneous data stores intoa single response that is returned to the requester (e.g., application410).

After the location of the requested information is determined,encryption ADO 434 may determine whether any of the requests should beencrypted. Requests may need to be encrypted, for example, if therequest is for PII and/or other sensitive and/or confidential dataand/or information. Based on a determination that a request for dataand/or information should be encrypted, encryption ADO 434 may encryptthe request for the data and/or information prior to transmitting therequest to the data store. Similarly, a response received from a datastore may be encrypted. Accordingly, encryption ADO 434 may decrypt theencrypted data and/or information received from the data store prior tocombining the data and/or information into a response provided to therequester (e.g., application 410). If the request does not need to beencrypted, the processing of encryption ADO 434 may be skipped.

After the requests have been divided and encrypted, transactionmanagement ADO 432 may transmit one or more requests to the data store440. For example, transaction management ADO 432 may transmit a firstrequest for a first piece of data and/or information to a first datastore and a second request for a second piece of data and/or informationto a second data store. Similarly, transaction management ADO 432 mayreceive the first piece of data and/or information from the first datastore and the second piece of data and/or information from the seconddata store. In some instances, transaction management ADO 432 mayinclude a table for recording (e.g., tracking) which responsescorrespond to which requests.

If any exceptions occur during the request for data and/or information,exception handling ADO 428 may process those exceptions. Exceptionhandling ADO 428 may determine whether any exceptions occurred.Additionally, exception handling ADO 428 may map error codes toapplication-specific error codes in order to notify the requestingapplication of the error. If exception handling ADO 428 determines thatan exception occurred, exception handling ADO 428 may log the exception.The exception may be logged in one of the plurality of heterogeneousstores in data store 440. Logging ADO 430 may log each of the requestsfor data and/or information and each of the responses. Logging ADO 430may create a record (e.g., transaction record) for each request and/orresponse for recordkeeping purposes. After a predetermined amount oftime (e.g., 1 day, 1 week, 1 month), the records generated by loggingADO 430 may be stored in a file history data store (e.g., archive 448)by time machine ADO 436. In this regard, time machine ADO 436 may storetransaction records for longer periods of time (e.g., 1 year, 3 years, 5years, etc.). Time machine ADO 436 may allow the transaction records tobe searched (e.g., queried). Accordingly, time machine ADO 436 mayprovide historical records of requests and responses for data and/orinformation.

The plurality of ADOs may communicate with data store 440 via one ormore core data objects 438. The one or more core data objects 438 maymap requests and/or responses between the plurality of ADOs and datastore 440. In a non-limiting example, the one or more core data objectsmay comprise low-level logic to generate appropriate queries for thedata store 440 and response for the plurality of ADOs. The low-levellogic may open and teardown connections between the plurality of ADOsand data store 440. Additionally, the low-level logic may generatequeries and format responses for the plurality of ADOs.

A universal access layer may be deployed to allow a plurality ofapplications to access data maintained in a plurality of heterogeneousdata stores. FIG. 5 shows a flow chart of a process for handling arequest for data and/or information according to one or more aspects ofthe disclosure. Some or all of the steps of process 500 may be performedusing one or more computing devices as described herein.

In step 510, a first computing device (e.g., the universal access layerexecuting on one or more computing devices) may receive a request fordata and/or information. The request may be received from a secondcomputing device (e.g., an application executing on the second computingdevice). The request for data and/or information may include, forexample, a request for customer information.

In step 520, the first computing device (e.g., the universal accesslayer executing on one or more computing devices) may determine whetherthe request for data and/or information complies with a canonical model.As discussed above with respect to FIG. 4, the canonical model maydefine a schema, or common data format, to allow (e.g., permit)communication between applications and/or data stores that use differentdata formats. If the request does not comply with the canonical model,the first computing device may transform the request to comply with thecanonical model in step 530. After transformation (or if the requestcomplies with the canonical model), the first computing device maydetermine whether the requester (e.g., second computing device,requesting application, requesting user, etc.) is authorized to accessthe data and/or information in step 540. In this regard, the request fordata and/or information may include an access token (e.g., an API key).The first computing device may authenticate the access token received inthe request. If the access token is not authenticated, the request maybe denied in step 550. If the access token is authenticated, process 500may determine one or more locations of the requested data in step 560.As discussed above, the first computing device may parse the request fordata and/or information to extract the information being sought. Thatis, a single request for data and/or information may be seeking severalpieces of data and/or information. The several pieces of data and/orinformation may be stored in a plurality of different heterogeneous datastores. Accordingly, the first computing device may divide the singlerequest into one or more requests for data and/or information. The firstcomputing device may then use a look-up table to determine the locationof each piece of information requested by the second computing device.

In step 570, the first computing device (e.g., the universal accesslayer executing on one or more computing devices) may determine whetherany of the requests for the data and/or information should be encrypted.If the first computing device determines that one or more of therequests should be encrypted, the first computing device may encryptthose requests in step 580. The first computing device may use anencryption key (e.g., a symmetric key) shared with the data store and anencryption algorithm (e.g., symmetric encryption algorithm) to encryptthe request. Alternatively, the first computing device may use a publicencryption key associated with the data store and an asymmetricencryption algorithm to encrypt the request. After encrypting therequest (or if the request does not need to be encrypted), the firstcomputing device may transmit the requests for data and/or informationto one or more data stores in step 590.

After submitting one or more requests for data and/or information to aplurality of heterogeneous data stores, the universal access layer mayaggregate the data and/or information and provide the data and/orinformation to the requester. FIG. 6 shows a flow chart of a process 600for handling a response to a request for data and/or informationaccording to one or more aspects of the disclosure. Some or all of thesteps of process 600 may be performed using one or more computingdevices as described herein.

In step 610, the first computing device (e.g., the universal accesslayer executing on one or more computing devices) may receive responsesfrom one or more data stores. In step 620, the first computing device(e.g., the universal access layer executing on one or more computingdevices) may determine whether any of the responses need to bedecrypted. If the first computing device determines that one or more ofthe responses need to be decrypted, the first computing device maydecrypt those requests in step 630. The first computing device may usethe decryption technique that corresponds to the encryption algorithmused by the data store. For instance, the first computing device (e.g.,the universal access layer) may use a private key associated with thefirst computing device to decrypt the one or more responses.Alternatively, the first computing device may use a symmetric key sharedwith the one or more data stores. After decrypting the one or moreresponses (or if the responses do not need to be decrypted), the firstcomputing device may combine (e.g., aggregate) each of the responsesinto a single response at step 640. In step 650, the first computingdevice (e.g., the universal access layer executing on one or morecomputing devices) may determine whether any exceptions occurred inobtaining the data and/or information. Based on a determination that oneor more exceptions occurred, the exception may be logged in step 660. Ifno exceptions occurred, then process 600 proceeds to step 670 whereinthe first computing device may transform the response into a formatsuitable for the requester. The transformation may be based on adetermination that the request for information did not comply with thecanonical model. If the request did comply with the canonical model,then the response may not need to be transformed and step 670 may beskipped. In step 680, the first computing device (e.g., the universalaccess layer executing on one or more computing devices) may log therequest for data and/or information and the corresponding response. Instep 690, the first computing device (e.g., the universal access layerexecuting on one or more computing devices) may send the response to therequester.

The universal access layer described herein provides several advantagesand improvements over other abstraction layers. First, app developersmay focus on developing the business logic for developing an applicationthat performs one or more requested functions without having to developthe logic for accessing data from a plurality of heterogeneous datastores. Further, the universal access layer may manage the location ofdata, thereby improving an application's performance by providingrequested data and/or information more quickly. Additionally, theuniversal access layer may ensure that data is not corrupted in exchangebetween the requester and the data store. That is, the universal accesslayer improves the integrity of the data and/or information amongst aplurality of different applications that format data differently. Theseadvantages improve the speed with which applications obtain data and/orinformation from heterogeneous data stores and improve the integrity ofthe data and/or information retrieved from those data stores.

One or more aspects discussed herein may be embodied in computer-usableor readable data and/or computer-executable instructions, such as in oneor more program modules, executed by one or more computers or otherdevices as described herein. Generally, program modules includeroutines, programs, objects, components, data structures, and the likethat perform particular tasks or implement particular abstract datatypes when executed by a processor in a computer or other device. Themodules may be written in a source code programming language that issubsequently compiled for execution, or may be written in a scriptinglanguage such as (but not limited to) HTML or XML. Thecomputer-executable instructions may be stored on a computer readablemedium such as a hard disk, optical disk, removable storage media,solid-state memory, RAM, and the like. As will be appreciated by one ofskill in the art, the functionality of the program modules may becombined or distributed as desired in various embodiments. In addition,the functionality may be embodied in whole or in part in firmware orhardware equivalents such as integrated circuits, field programmablegate arrays (FPGA), and the like. Particular data structures may be usedto more effectively implement one or more aspects discussed herein, andsuch data structures are contemplated within the scope ofcomputer-executable instructions and computer-usable data describedherein. Various aspects discussed herein may be embodied as a method, acomputing device, a system, and/or a computer program product.

Although many example arrangements described herein are discussed in thecontext of insurance applications, aspects described herein may be usedin different industries and for different applications or productswithout departing from the invention. Further, although the presentinvention has been described in certain specific aspects, manyadditional modifications and variations would be apparent to thoseskilled in the art. In particular, any of the various processesdescribed above may be performed in alternative sequences and/or inparallel (on different computing devices) in order to achieve similarresults in a manner that is more appropriate to the requirements of aspecific application. It is therefore to be understood that the presentinvention may be practiced otherwise than specifically described withoutdeparting from the scope and spirit of the present invention. Thus,embodiments of the present invention should be considered in allrespects as illustrative and not restrictive. Accordingly, the scope ofthe invention should be determined not by the embodiments illustrated,but by the appended claims and their equivalents.

What is claimed is:
 1. A method comprising: receiving, from a device, arequest for information in which the requested information includes afirst piece of information and a second piece of information;determining whether the request for information complies with acanonical model; determining, based on a determination that the requestfor information complies with the canonical model, whether the device isauthorized to access the requested information; determining that thefirst piece of information includes personally identifiable informationand the second piece of information includes insurance information data;determining, based on the device being authorized to access therequested information, a first location of the first piece ofinformation and a second location of the second piece of information,wherein the first location and the second location are at different datastores; encrypting a first request for the first piece of information inresponse to the first piece of information including the personallyidentifiable information; transmitting the first request for the firstpiece of information as an encrypted request to a first data store;transmitting a second request for the second piece of information to asecond data store, the second request being an unencrypted request basedon the second piece of information including the insurance informationdata; receiving the first piece of information from the first datastore; receiving the second piece of information from the second datastore; combining the first piece of information and the second piece ofinformation into a response; and transmitting, to the device, theresponse including the requested information.
 2. The method of claim 1,further comprising: transforming the request for information based on adetermination that the request for information does not comply with thecanonical model.
 3. The method of claim 1, wherein determining that thedevice is authorized to access the requested information furtherincludes verifying a token received with the request for information. 4.The method of claim 1, further comprising: denying the request forinformation based on a determination that the device is not authorizedto access the requested information.
 5. The method of claim 1, whereindetermining the first location of the first piece of information and thesecond location of the second piece of information further comprises:parsing the request for information to extract the request for the firstpiece of information and the request for the second piece ofinformation; determining, using a look-up table, the first location ofthe first piece of information; and determining, using the look-uptable, the second location of the second piece of information.
 6. Themethod of claim 1, wherein the first piece of information received fromthe first data store is an encrypted first piece.
 7. The method of claim6, further comprising: decrypting the encrypted first piece ofinformation prior to combining the first piece of information and thesecond piece of information into the response.
 8. The method of claim 1,further comprising: determining whether any exceptions occurred inobtaining the first piece of information and the second piece ofinformation; and logging an exception based on one or more exceptionsoccurring while obtaining the first piece of information and the secondpiece of information.
 9. The method of claim 1, further comprising:transforming the response based on a determination that the request forinformation did not comply with the canonical model.
 10. The method ofclaim 1, further comprising: logging the request for information and theresponse.
 11. One or more non-transitory media storing instructionsthat, when executed by one or more processors, cause the one or moreprocessors to perform steps comprising: receiving, from a device, arequest for information, wherein the requested information includes afirst piece of information and a second piece of information;determining whether the request for information complies with acanonical model; determining, based on a determination that the requestfor information complies with the canonical model, whether the device isauthorized to access the requested information; determining that thefirst piece of information includes personally identifiable information,and the second piece of information includes insurance information data;determining, based on the device being authorized to access therequested information, a first location of the first piece ofinformation and a second location of the second piece of information,wherein the first location and the second location are at different datastores; encrypting a first request for the first piece of information inresponse to the first piece of information including the personallyidentifiable information; transmitting the first request for the firstpiece of information to a first data store; transmitting a secondrequest for the second piece of information to a second data store as anunencrypted request based on the second piece of information includingthe insurance information data; receiving the first piece of informationfrom the first data store; receiving the second piece of informationfrom the second data store; combining the first piece of information andthe second piece of information into a response; and transmitting theresponse including the requested information.
 12. The one or morenon-transitory media of claim 11, further comprising instructions thatcause the one or more processors to perform steps comprising: decryptingan encrypted first piece of information received from the first datastore prior to combining the first piece of information and the secondpiece of information into the response.
 13. The one or morenon-transitory media of claim 11, further comprising instructions thatcause the one or more processors to perform steps comprising:transforming the response based on the request for information notcomplying with the canonical model.
 14. A method comprising: receiving,from a device, a request in which requested information includes a firstpiece of information and a second piece of information; determining thatthe request complies with a canonical model; determining, based on therequest complying with the canonical model, that the device isauthorized to access the requested information; determining that thefirst piece of information includes personally identifiable information,and the second piece of information includes insurance information data;determining, based on the device being authorized to access therequested information, a first location of the first piece ofinformation and a second location of the second piece of information,wherein the first location and the second location are at different datastores; determining that the first piece of information should beencrypted based on the first piece of information including thepersonally identifiable information; determining that the second pieceof information does not need encryption based on the second piece ofinformation including the insurance information data; transmitting afirst request for the first piece of information to a first data storeand a second request for the second piece of information to a seconddata store, the first request being an encrypted request and the secondrequest being an unencrypted request; receiving the first piece ofinformation from the first data store and the second piece ofinformation from the second data store; combining the first piece ofinformation and the second piece of information into a response; andtransmitting, to the device, the response including the requestedinformation.
 15. The method of claim 14, wherein the personallyidentifiable information includes user information of the device, andthe insurance information data includes an insurance policy.
 16. Themethod of claim 14, wherein: the device is a personal computing device;the first request and the second request are transmitted from anenterprise device; and the enterprise device communicates with the firstdata store and the second data store through a secure connectioninaccessible to the personal computing device.
 17. The method of claim14, further comprising: performing an insurance policy calculation usingthe first piece of information and the second piece of information, theresponse includes the insurance policy calculation.
 18. The method ofclaim 14, wherein the first data store is user information database, andthe second data store is at least one of: a claims database; anunderwriting database; or a rate worksheet.
 19. The method of claim 14,wherein determining that the second piece of information does not needencryption is based on the second piece of information being formattedas insurance underwriting data or as rate worksheet data.
 20. The methodof claim 14, further comprising: storing, a first predetermined amountof time after receiving the second piece of information, a record of thesecond request and the insurance information data in a searchable formatfor a second predetermined period of time, the second predeterminedperiod of time being longer than the first predetermined amount of time.